Stripe Identity Verification
Warning
This article promotes the deprecated Payments
module, which is not following best practices like Commands and Events, and does not use our core module. We recommend using pos-module-payments-stripe instead.
As part of their commitment to meet legislation that is imposed on payment providers by federal financial regulatory authorities, Stripe follows strict protocols and has implemented algorithms to comply with legal requirements. This topic collects relevant information from the Stripe documentation and explains these protocols and algorithms in detail.
Legislation Requirements
Every country has its own requirements when it comes to paying out funds to individuals and companies. These are typically known as “Know Your Customer” (KYC) regulations.
Regardless of the country, the broad requirements are:
- Collecting information about the individual or company receiving funds
- Verifying the information is accurate
Instead of requesting all possible information from everyone, to optimize user experience, ideally you should only request the information required by the capabilities that are assigned to the connected account (in the case of a marketplace, sub accounts of members linked to the marketplace Stripe account). Information requirements for a given capability for each connected account can vary depending on factors such as business type, country, and activity.
Identity Verification
Verification requirements vary depending on:
- The country where the connected account is located.
- The capabilities the account has (only applicable to connected accounts in the U.S.).
- Whether the business entity is a company or an individual.
Typically, there are two sets of information that need to be collected and verified. The first set enables charges and the second set enables payouts. For example, to enable charges for a company in the U.S., you might need to collect:
- Information about the business (e.g., name, address)
- Information about the person opening the Stripe connected account (e.g., name, date of birth)
- Beneficial owner information (e.g., name, personal address)
Thresholds
The second set of information (typically required for connected accounts in the U.S.) enables payouts and needs to be collected after certain thresholds are reached. These thresholds vary, but they often have a processing element and a time element. For example, after 30 days from the first charge, or after $1,500 (USD) in charges are created (whichever comes first), Stripe requests this second set of information. Using the previous example, this additional information might include:
- The last four digits of an owner’s social security number (SSN)
- A scan of an ID document
Requirements by country
For a detailed description of requirements by country for individuals, companies, LLCs, sole proprietorships, and partnerships visit Required Verification Information.
Algorithms
Stripe has implemented different algorithms (just like eBay and other commerce enabled marketplaces) to assess risk and require action by users selectively.
Note
Because of the different risk assessment results, country requirements, and thresholds, the identity verification workflow might be different for each separate user of the same Stripe enabled solution. Also, you should be aware that the identification verification steps vary between individuals and companies.
-
Example steps of risk assessment and verification for a marketplace:
Each member/merchant is assessed separately/individually by Stripe risk assessment algorithms. -
The marketplace as a whole is assessed by Stripe risk assessment algorithms.
-
Dynamically, as triggered by Stripe algorithms, they might request additional information from certain members/accounts; like an ID document, date of birth, or the last four digits of the SSN.
Note
If the Stripe algorithms still assess the person is a high risk, then the Stripe gateway might request the full SSN.
-
Stripe provides API web hooks where such requests will be made on users dynamically as assessed; you can configure your marketplace to automatically request the information from that User. Once the data is submitted through the form, it is pushed back to Stripe where it is recorded securely, thus meeting Stripe’s risk mitigation requirements.
Resources
- Stripe — Know Your Customer (KYC)
- Stripe — Identity Verification
- Stripe — Required Verification Information
- Stripe — Capabilities Overview